7a824660a1b31497984adcdaa1e45888986bbe36a926bba82639311c22f9654e

General

Target

7cc31699933052a476c887cbcd58f0c0N.exe
Size

1.2MB
MD5

7cc31699933052a476c887cbcd58f0c0
SHA1

e785c6ec0f52f904252a2ae5d6fbc8538e57046a
SHA256

7a824660a1b31497984adcdaa1e45888986bbe36a926bba82639311c22f9654e
SHA512

56a3d0d7b72267b7f591b481b8e7a978b969c6df657afc05a2ff4eebfccd24f1feaf937b36128d7464aa4ac466db094defb5469ec5fa88aff1fc2f417101a715
SSDEEP

24576:Suz4KDgy8Nj6BN9YIqUh3a/ZSsa/JX8Fd77Lv+f6T8zr:Jz4KDeONrqUh3gPg+FdbQ

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3200	7cc31699933052a476c887cbcd58f0c0N.exe

Executes dropped EXE 1 IoCs

pid	Process
3200	7cc31699933052a476c887cbcd58f0c0N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
13	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2036	4904	WerFault.exe	82
4196	3200	WerFault.exe	90
1912	3200	WerFault.exe	90
512	3200	WerFault.exe	90
636	3200	WerFault.exe	90
3276	3200	WerFault.exe	90
3940	3200	WerFault.exe	90
4872	3200	WerFault.exe	90
3416	3200	WerFault.exe	90
2708	3200	WerFault.exe	90
2572	3200	WerFault.exe	90
3884	3200	WerFault.exe	90
1672	3200	WerFault.exe	90
2976	3200	WerFault.exe	90
3540	3200	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cc31699933052a476c887cbcd58f0c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cc31699933052a476c887cbcd58f0c0N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3200	7cc31699933052a476c887cbcd58f0c0N.exe
3200	7cc31699933052a476c887cbcd58f0c0N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4904	7cc31699933052a476c887cbcd58f0c0N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3200	7cc31699933052a476c887cbcd58f0c0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 3200	4904	7cc31699933052a476c887cbcd58f0c0N.exe	90
PID 4904 wrote to memory of 3200	4904	7cc31699933052a476c887cbcd58f0c0N.exe	90
PID 4904 wrote to memory of 3200	4904	7cc31699933052a476c887cbcd58f0c0N.exe	90

C:\Users\Admin\AppData\Local\Temp\7cc31699933052a476c887cbcd58f0c0N.exe
"C:\Users\Admin\AppData\Local\Temp\7cc31699933052a476c887cbcd58f0c0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 344
  2⤵
  - Program crash
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\7cc31699933052a476c887cbcd58f0c0N.exe
  C:\Users\Admin\AppData\Local\Temp\7cc31699933052a476c887cbcd58f0c0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:3200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 348
    3⤵
    - Program crash
    PID:4196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 628
    3⤵
    - Program crash
    PID:1912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 628
    3⤵
    - Program crash
    PID:512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 628
    3⤵
    - Program crash
    PID:636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 720
    3⤵
    - Program crash
    PID:3276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 948
    3⤵
    - Program crash
    PID:3940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1424
    3⤵
    - Program crash
    PID:4872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1464
    3⤵
    - Program crash
    PID:3416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1636
    3⤵
    - Program crash
    PID:2708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1520
    3⤵
    - Program crash
    PID:2572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1492
    3⤵
    - Program crash
    PID:3884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1508
    3⤵
    - Program crash
    PID:1672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1464
    3⤵
    - Program crash
    PID:2976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1552
    3⤵
    - Program crash
    PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4904 -ip 4904
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3200 -ip 3200
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3200 -ip 3200
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3200 -ip 3200
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3200 -ip 3200
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3200 -ip 3200
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3200 -ip 3200
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3200 -ip 3200
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3200 -ip 3200
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3200 -ip 3200
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3200 -ip 3200
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3200 -ip 3200
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3200 -ip 3200
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3200 -ip 3200
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3200 -ip 3200
1⤵
PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7cc31699933052a476c887cbcd58f0c0N.exe

Filesize
1.2MB

MD5
77b8040b2c860f688ce6a4b50526b224

SHA1
ed00541bef9a1b083b3d68ec3ed52afcec1b3644

SHA256
ea9467cc03777403a1a0d9a1c2cd56146ba59446d4a2e26d9edf2d79637df078

SHA512
b4127dd43a20d81ed5e8d4967df61cbc2b04b33bef0746e40e05bfc30864c6b05d5820081353d71961fffc817167a8cab1636c2ab37bf4b3f88958a3e3aaeb36

Download Submit
memory/3200-7-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3200-8-0x0000000005000000-0x0000000005116000-memory.dmp

Filesize
1.1MB

Download
memory/3200-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3200-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3200-27-0x000000000B9E0000-0x000000000BA83000-memory.dmp

Filesize
652KB

Download
memory/3200-28-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4904-0-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4904-6-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing